This is the way Google says we can all cut down on security threats
Google security experts urge companies to invest in comprehensive fixes
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Security researchers atGooglehave called 2020 the year ofzero-day exploitsowing to the large number of these vulnerabilities that were detected and fixed last year.
In a year-in-review post, the researchers shared that while they are still a long way off from detecting the zero-day exploits in the wild, surprisingly a quarter of them stem from previously disclosed vulnerabilities and could have easily been prevented.
“1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explored,” wroteMaddie Stone, a security researcher in Google’sProject Zeroteam.
Fool me twice
According to Stone, last year Project Zero unearthed 24 zero-day exploits that were being actively used in the wild.
In her post, she breaks down six of them to reveal how they were related to previously disclosed vulnerabilities. “Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit,” she writes.
As she breaks down the six vulnerabilities the team discovered in Chrome, Firefox, Internet Explorer,Safari, and Windows, Stone notes that they were the result of improper fixes. Surprisingly, her analysis also revealed that three of the vulnerabilities that were patched in 2020 were again “either not fixed correctly or not fixed comprehensively.”
Stone asks vendors to make all the investment required to release correct and comprehensive patches for vulnerabilities that cover all its variants: “Many times we’re seeing vendors block only the path that is shown in the proof-of-concept or exploit sample, rather than fixing the vulnerability as a whole, which would block all of the paths.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Stone also puts some onus on the security researchers as well who should do a better job of following up and testing the patch.
“We would really like to work more closely with vendors on patches and mitigations prior to the patch being released,” she suggests, adding that “early collaboration and offering feedback during the patch design and implementation process is good for everyone. Researchers and vendors alike can save time, resources, and energy by working together, rather than patch diffing a binary after release and realizing the vulnerability was not completely fixed.”
Via:ZDNet
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics
This new phishing strategy utilizes GitHub comments to distribute malware
Arcane season 2 finally gave us the huge Caitlyn and Vi moment we’ve been waiting for – and its creators say ‘we couldn’t have done it in season one’
